An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements


AUDITING STANDARD No. 2
An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
March 9, 2004

AUDITING AND RELATED PROFESSIONAL PRACTICE STANDARDS
[Effective pursuant to SEC Release No. 34-49884; File No. PCAOB-2004-03, June 17, 2004]

Table of Contents (numbers refer to paragraphs)

APPLICABILITY OF STANDARD ... 1-3
AUDITOR'S OBJECTIVE IN AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING ... 4-6
DEFINITIONS RELATED TO INTERNAL CONTROL OVER FINANCIAL REPORTING ... 7-12
FRAMEWORK USED BY MANAGEMENT TO CONDUCT ITS ASSESSMENT ... 13-15
  Committee of Sponsoring Organizations Framework ... 14-15
INHERENT LIMITATIONS IN INTERNAL CONTROL OVER FINANCIAL REPORTING ... 16
THE CONCEPT OF REASONABLE ASSURANCE ... 17-19
MANAGEMENT'S RESPONSIBILITIES IN AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING ... 20-21
MATERIALITY CONSIDERATIONS IN AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING ... 22-23
FRAUD CONSIDERATIONS IN AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING ... 24-26
PERFORMING AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING ... 27-141
  Applying General, Fieldwork, and Reporting Standards ... 30-38
  Technical Training and Proficiency ... 31
  Independence ... 32-35
  Due Professional Care ... 36
  Fieldwork and Reporting Standards ... 37-38
  Planning the Engagement ... 39
  Evaluating Management's Assessment Process ... 40-46
  Management's Documentation ... 42-46
  Obtaining an Understanding of Internal Control Over Financial Reporting ... 47-87
  Identifying Company-Level Controls ... 52-54
  Evaluating the Effectiveness of the Audit Committee's Oversight of the Company's External Financial Reporting and Internal Control Over Financial Reporting ... 55-59
  Identifying Significant Accounts ... 60-67
  Identifying Relevant Financial Statement Assertions ... 68-70
  Identifying Significant Processes and Major Classes of Transactions ... 71-75
  Understanding the Period-end Financial Reporting Process ... 76-78
  Performing Walkthroughs ... 79-82
  Identifying Controls to Test ... 83-87
  Testing and Evaluating Design Effectiveness ... 88-91
  Testing and Evaluating Operating Effectiveness ... 92-107
  Nature of Tests of Controls ... 93-97
  Timing of Tests of Controls ... 98-103
  Extent of Tests of Controls ... 104-105
  Use of Professional Skepticism when Evaluating the Results of Testing ... 106-107
  Using the Work of Others ... 108-126
  Evaluating the Nature of the Controls Subjected to the Work of Others ... 112-116
  Evaluating the Competence and Objectivity of Others ... 117-122
  Testing the Work of Others ... 123-126
  Forming an Opinion on the Effectiveness of Internal Control Over Financial Reporting ... 127-141
  Issuing an Unqualified Opinion ... 129
  Evaluating Deficiencies in Internal Control Over Financial Reporting ... 130-141
REQUIREMENT FOR WRITTEN REPRESENTATIONS ... 142-144
RELATIONSHIP OF AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING TO AN AUDIT OF FINANCIAL STATEMENTS ... 145-158
  Tests of Controls in an Audit of Internal Control Over Financial Reporting ... 147-149
  Tests of Controls in an Audit of Financial Statements ... 150-151
  Effect of Tests of Controls on Substantive Procedures ... 152-156
  Effect of Substantive Procedures on the Auditor's Conclusions About the Operating Effectiveness of Controls ... 157-158
DOCUMENTATION REQUIREMENTS ... 159-161
REPORTING ON INTERNAL CONTROL OVER FINANCIAL REPORTING ... 162-199
  Management's Report ... 162-165
  Auditor's Evaluation of Management's Report ... 166
  Auditor's Report on Management's Assessment of Internal Control Over Financial Reporting ... 167-199
  Separate or Combined Reports ... 169-170
  Report Date ... 171-172
  Report Modifications ... 173
  Management's Assessment Inadequate or Report Inappropriate ... 174
  Material Weaknesses ... 175-177
  Scope Limitations ... 178-181
  Opinions Based, in Part, on the Report of Another Auditor ... 182-185
  Subsequent Events ... 186-189
  Management's Report Containing Additional Information ... 190-192
  Effect of Auditor's Adverse Opinion on Internal Control Over Financial Reporting on the Opinion on Financial Statements ... 193-196
  Subsequent Discovery of Information Existing at the Date of the Auditor's Report on Internal Control Over Financial Reporting ... 197
  Filings Under Federal Securities Statutes ... 198-199
AUDITOR'S RESPONSIBILITIES FOR EVALUATING MANAGEMENT'S CERTIFICATION DISCLOSURES ABOUT INTERNAL CONTROL OVER FINANCIAL REPORTING ... 200-206
  Required Management Certifications ... 200-201
  Auditor Evaluation Responsibilities ... 202-206
REQUIRED COMMUNICATIONS IN AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING ... 207-214
EFFECTIVE DATE ... 215-216

Appendix A: Illustrative Reports on Internal Control Over Financial Reporting
Appendix B: Additional Performance Requirements and Directions; Extent-of-Testing Examples
Appendix C: Safeguarding of Assets
Appendix D: Examples of Significant Deficiencies and Material Weaknesses
Appendix E: Background and Basis for Conclusions

Applicability of Standard

1. This standard establishes requirements and provides directions that apply when an auditor is engaged to audit both a company's financial statements and management's assessment of the effectiveness of internal control over financial reporting.

Note: The term auditor includes both public accounting firms registered with the Public Company Accounting Oversight Board ("PCAOB" or the "Board") and associated persons thereof.

2. A company subject to the reporting requirements of the Securities Exchange Act of 1934 (an "issuer") is required to include in its annual report a report of management on the company's internal control over financial reporting. Registered investment companies, issuers of asset-backed securities, and nonpublic companies are not subject to the reporting requirements mandated by Section 404 of the Sarbanes-Oxley Act of 2002 (the "Act") (PL 107-204). The report of management is required to contain management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether the company's internal control over financial reporting is effective. The auditor that audits the company's financial statements included in the annual report is required to attest to and report on management's assessment. The company is required to file the auditor's attestation report as part of the annual report.

Note: The term issuer means an issuer (as defined in Section 3 of the Securities Exchange Act of 1934), the securities of which are registered under Section 12 of that Act, or that is required to file reports under Section 15(d) of that Act, or that files or has filed a registration statement with the Securities and Exchange Commission ("SEC" or "Commission") that has not yet become effective under the Securities Act of 1933, and that it has not withdrawn.

Note: Various parts of this standard summarize legal requirements imposed on issuers by the SEC, as well as legal requirements imposed on auditors by regulatory authorities other than the PCAOB. These parts of the standard are intended to provide context and to promote the auditor's understanding of the relationship between his or her obligations under this standard and his or her other legal responsibilities. The standard does not incorporate these legal requirements by reference and is not an interpretation of those other requirements and should not be so construed. (This Note does not apply to references in the standard to the existing professional standards and the Board's interim auditing and related professional practice standards.)

3. This standard is the standard on attestation engagements referred to in Section 404(b) of the Act. This standard is also the standard referred to in Section 103(a)(2)(A)(iii) of the Act. Throughout this standard, the auditor's attestation of management's assessment of the effectiveness of internal control over financial reporting required by Section 404(b) of the Act is referred to as the audit of internal control over financial reporting.

Note: The two terms audit of internal control over financial reporting and attestation of management's assessment of the effectiveness of internal control over financial reporting refer to the same professional service. The first refers to the process, and the second refers to the result of that process.

Auditor's Objective in an Audit of Internal Control Over Financial Reporting

4. The auditor's objective in an audit of internal control over financial reporting is to express an opinion on management's assessment of the effectiveness of the company's internal control over financial reporting. To form a basis for expressing such an opinion, the auditor must plan and perform the audit to obtain reasonable assurance about whether the company maintained, in all material respects, effective internal control over financial reporting as of the date specified in management's assessment. The auditor also must audit the company's financial statements as of the date specified in management's assessment because the information the auditor obtains during a financial statement audit is relevant to the auditor's conclusion about the effectiveness of the company's internal control over financial reporting. Maintaining effective internal control over financial reporting means that no material weaknesses exist; therefore, the objective of the audit of internal control over financial reporting is to obtain reasonable assurance that no material weaknesses exist as of the date specified in management's assessment.

5. To obtain reasonable assurance, the auditor evaluates the assessment performed by management and obtains and evaluates evidence about whether the internal control over financial reporting was designed and operated effectively. The auditor obtains this evidence from a number of sources, including using the work performed by others and performing auditing procedures himself or herself.

6. The auditor should be aware that persons who rely on the information concerning internal control over financial reporting include investors, creditors, the board of directors and audit committee, and regulators in specialized industries, such as banking or insurance. The auditor should be aware that external users of financial statements are interested in information on internal control over financial reporting because it enhances the quality of financial reporting and increases their confidence in financial information, including financial information issued between annual reports, such as quarterly information. Information on internal control over financial reporting is also intended to provide an early warning to those inside and outside the company who are in a position to insist on improvements in internal control over financial reporting, such as the audit committee and regulators in specialized industries. Additionally, Section 302 of the Act and Securities Exchange Act Rule 13a-14(a) or 15d-14(a), 1/ whichever applies, require management, with the participation of the principal executive and financial officers, to make quarterly and annual certifications with respect to the company's internal control over financial reporting.

Definitions Related to Internal Control Over Financial Reporting

7. For purposes of management's assessment and the audit of internal control over financial reporting in this standard, internal control over financial reporting is defined as follows:

  A process designed by, or under the supervision of, the company's principal executive and principal financial officers, or persons performing similar functions, and effected by the company's board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

  (1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;

  (2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the company are being made only in accordance with authorizations of management and directors of the company; and

  (3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.

Note: This definition is the same one used by the SEC in its rules requiring management to report on internal control over financial reporting, except the word "registrant" has been changed to "company" to conform to the wording in this standard. (See Securities Exchange Act Rules 13a-15(f) and 15d-15(f). 2/ )

1/ See 17 C.F.R. 240.13a-14(a) or 17 C.F.R. 240.15d-14(a), whichever applies.

2/ See 17 C.F.R. 240, 13a-15(f) and 15d-15(f).

Note: Throughout this standard, internal control over financial reporting (singular) refers to the process described in this paragraph. Individual controls or subsets of controls are referred to as controls or controls over financial reporting.

8. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

9. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the company's ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the company's annual or interim financial statements that is more than inconsequential will not be prevented or detected.

Note: The term "remote likelihood" as used in the definitions of significant deficiency and material weakness (paragraph 10) has the same meaning as the term "remote" as used in Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies ("FAS No. 5"). Paragraph 3 of FAS No. 5 states:

  When a loss contingency exists, the likelihood that the future event or events will confirm the loss or impairment of an asset or the incurrence of a liability can range from probable to remote. This Statement uses the terms probable, reasonably possible, and remote to identify three areas within that range, as follows:

  a. Probable. The future event or events are likely to occur.

  b. Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.

  c. Remote. The chance of the future events or events occurring is slight.

Therefore, the likelihood of an event is "more than remote" when it is either reasonably possible or probable.

Note: A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.

10. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.

Note: In evaluating whether a control deficiency exists and whether control deficiencies, either individually or in combination with other control deficiencies, are significant deficiencies or material weaknesses, the auditor should consider the definitions in paragraphs 8, 9 and 10, and the directions in paragraphs 130 through 137. As explained in paragraph 23, the evaluation of the materiality of the control deficiency should include both quantitative and qualitative considerations. Qualitative factors that might be important in this evaluation include the nature of the financial statement accounts and assertions involved and the reasonably possible future consequences of the deficiency. Furthermore, in determining whether a control deficiency or combination of deficiencies is a significant deficiency or a material weakness, the auditor should evaluate the effect of compensating controls and whether such compensating controls are effective.

11. Controls over financial reporting may be preventive controls or detective controls. Preventive controls have the objective of preventing errors or fraud from occurring in the first place that could result in a misstatement of the financial statements. Detective controls have the objective of detecting errors or fraud that have already occurred that could result in a misstatement of the financial statements.

12. Even well-designed controls that are operating as designed might not prevent a misstatement from occurring. However, this possibility may be countered by overlapping preventive controls or partially countered by detective controls. Therefore, effective internal control over financial reporting often includes a combination of preventive and detective controls to achieve a specific control objective. The auditor's procedures as part of either the audit of internal control over financial reporting or the audit of the financial statements are not part of a company's internal control over financial reporting.

Framework Used by Management to Conduct Its Assessment

13. Management is required to base its assessment of the effectiveness of the company's internal control over financial reporting on a suitable, recognized control framework established by a body of experts that followed due-process procedures, including the broad distribution of the framework for public comment. In addition to being available to users of management's reports, a framework is suitable only when it:

  Is free from bias;

  Permits reasonably consistent qualitative and quantitative measurements of a company's internal control over financial reporting;

  Is sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of a company's internal control over financial reporting are not omitted; and

  Is relevant to an evaluation of internal control over financial reporting.

Committee of Sponsoring Organizations Framework

14. In the United States, the Committee of Sponsoring Organizations ("COSO") of the Treadway Commission has published Internal Control - Integrated Framework. Known as the COSO report, it provides a suitable and available framework for purposes of management's assessment. For that reason, the performance and reporting directions in this standard are based on the COSO framework. Other suitable frameworks have been published in other countries and may be developed in the future. Such other suitable frameworks may be used in an audit of internal control over financial reporting. Although different frameworks may not contain exactly the same elements as COSO, they should have elements that encompass, in general, all the themes in COSO. Therefore, the auditor should be able to apply the concepts and guidance in this standard in a reasonable manner.

15. The COSO framework identifies three primary objectives of internal control: efficiency and effectiveness of operations, financial reporting, and compliance with laws and regulations. The COSO perspective on internal control over financial reporting does not ordinarily include the other two objectives of internal control, which are the effectiveness and efficiency of operations and compliance with laws and regulations. However, the controls that management designs and implements may achieve more than one objective. Also, operations and compliance with laws and regulations directly related to the presentation of and required disclosures in financial statements are encompassed in internal control over financial reporting. Additionally, not all controls relevant to financial reporting are accounting controls. Accordingly, all controls that could materially affect financial reporting, including controls that focus primarily on the effectiveness and efficiency of operations or compliance with laws and regulations and also have a material effect on the reliability of financial reporting, are a part of internal control over financial reporting. More information about the COSO framework is included in the COSO report and in AU sec. 319, Consideration of Internal Control in a Financial Statement Audit. 3/ The COSO report also discusses special considerations for internal control over financial reporting for small and medium-sized companies.

Inherent Limitations in Internal Control Over Financial Reporting

16. Internal control over financial reporting cannot provide absolute assurance of achieving financial reporting objectives because of its inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements may not be prevented or detected on a timely basis by internal control over financial reporting. However, these inherent limitations are known features of the financial reporting process. Therefore, it is possible to design into the process safeguards to reduce, though not eliminate, this risk.

The Concept of Reasonable Assurance

17. Management's assessment of the effectiveness of internal control over financial reporting is expressed at the level of reasonable assurance. The concept of reasonable assurance is built into the definition of internal control over financial reporting and also is integral to the auditor's opinion. 4/ Reasonable assurance includes the understanding that there is a remote likelihood that material misstatements will not be prevented or detected on a timely basis. Although not absolute assurance, reasonable assurance is, nevertheless, a high level of assurance.

3/ The Board adopted the generally accepted auditing standards, as described in the AICPA Auditing Standards Board's ("ASB") Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards, as in existence on April 16, 2003, on an initial, transitional basis. The Statements on Auditing Standards promulgated by the ASB have been codified into the AICPA Professional Standards, Volume 1, as AU sections 100 through 900. References in this standard to AU sections refer to those generally accepted auditing standards, as adopted on an interim basis in PCAOB Rule 3200T.

4/ See Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Securities and Exchange Commission Release No. 33-8238 (June 5, 2003) [68 FR 36636] for further discussion of reasonable assurance.

18. Just as there are inherent limitations on the assurance that effective internal control over financial reporting can provide, as discussed in paragraph 16, there are limitations on the amount of assurance the auditor can obtain as a result of performing his or her audit of internal control over financial reporting. Limitations arise because an audit is conducted on a test basis and requires the exercise of professional judgment. Nevertheless, the audit of internal control over financial reporting includes obtaining an understanding of internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control over financial reporting, and performing such other procedures as the auditor considers necessary to obtain reasonable assurance about whether internal control over financial reporting is effective.

19. There is no difference in the level of work performed or assurance obtained by the auditor when expressing an opinion on management's assessment of effectiveness or when expressing an opinion directly on the effectiveness of internal control over financial reporting. In either case, the auditor must obtain sufficient evidence to provide a reasonable basis for his or her opinion and the use and evaluation of management's assessment is inherent in expressing either opinion.

Note: The auditor's report on internal control over financial reporting does not relieve management of its responsibility for assuring users of its financial reports about the effectiveness of internal control over financial reporting.

Management's Responsibilities in an Audit of Internal Control Over Financial Reporting

20. For the auditor to satisfactorily complete an audit of internal control over financial reporting, management must do the following: 5/

a. Accept responsibility for the effectiveness of the company's internal control over financial reporting;
b. Evaluate the effectiveness of the company's internal control over financial reporting using suitable control criteria;
c. Support its evaluation with sufficient evidence, including documentation; and
d. Present a written assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year.

5/ Management is required to fulfill these responsibilities. See Items 308(a) and (c) of Regulation S-B and S-K, 17 C.F.R. 228.308 (a) and (c) and 229.308 (a) and (c), respectively.

21. If the auditor concludes that management has not fulfilled the responsibilities enumerated in the preceding paragraph, the auditor should communicate, in writing, to management and the audit committee that the audit of internal control over financial reporting cannot be satisfactorily completed and that he or she is required to disclaim an opinion. Paragraphs 40 through 46 provide information for the auditor about evaluating management's process for assessing internal control over financial reporting.

Materiality Considerations in an Audit of Internal Control Over Financial Reporting

22. The auditor should apply the concept of materiality in an audit of internal control over financial reporting at both the financial-statement level and at the individual account-balance level. The auditor uses materiality at the financial-statement level in evaluating whether a deficiency, or combination of deficiencies, in controls is a significant deficiency or a material weakness. Materiality at both the financial-statement level and the individual account-balance level is relevant to planning the audit and designing procedures. Materiality at the account-balance level is necessarily lower than materiality at the financial-statement level.

23. The same conceptual definition of materiality that applies to financial reporting applies to information on internal control over financial reporting, including the relevance of both quantitative and qualitative considerations. 6/ The quantitative considerations are essentially the same as in an audit of financial statements and relate to whether misstatements that would not be prevented or detected by internal control over financial reporting, individually or collectively, have a quantitatively material effect on the financial statements. The qualitative considerations apply to evaluating materiality with respect to the financial statements and to additional factors that relate to the perceived needs of reasonable persons who will rely on the information. Paragraph 6 describes some qualitative considerations.

6/ AU sec. 312, Audit Risk and Materiality in Conducting an Audit, provides additional explanation of materiality.

Fraud Considerations in an Audit of Internal Control Over Financial Reporting

24. The auditor should evaluate all controls specifically intended to address the risks of fraud that have at least a reasonably possible likelihood of having a material effect on the company's financial statements. These controls may be a part of any of the five components of internal control over financial reporting, as discussed in paragraph 49. Controls related to the prevention and detection of fraud often have a pervasive effect on the risk of fraud. Such controls include, but are not limited to, the:

- Controls restraining misappropriation of company assets that could result in a material misstatement of the financial statements;
- Company's risk assessment processes;
- Code of ethics/conduct provisions, especially those related to conflicts of interest, related party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board;
- Adequacy of the internal audit activity and whether the internal audit function reports directly to the audit committee, as well as the extent of the audit committee's involvement and interaction with internal audit; and
- Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.

25. Part of management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter, and detect fraud. Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud. When management and those responsible for the oversight of the financial reporting process fulfill those responsibilities, the opportunities to commit fraud can be reduced significantly.

26. In an audit of internal control over financial reporting, the auditor's evaluation of controls is interrelated with the auditor's evaluation of controls in a financial statement audit, as required by AU sec. 316, Consideration of Fraud in a Financial Statement Audit. Often, controls identified and evaluated by the auditor during the audit of internal control over financial reporting also address or mitigate fraud risks, which the auditor is required to consider in a financial statement audit. If the auditor identifies deficiencies in controls designed to prevent and detect fraud during the audit of internal control over financial reporting, the auditor should alter the nature, timing, or extent of procedures to be performed during the financial statement audit to be responsive to such deficiencies, as provided in paragraphs .44 and .45 of AU sec. 316.

Performing an Audit of Internal Control Over Financial Reporting

27. In an audit of internal control over financial reporting, the auditor must obtain sufficient competent evidence about the design and operating effectiveness of controls over all relevant financial statement assertions related to all significant accounts and disclosures in the financial statements. The auditor must plan and perform the audit to obtain reasonable assurance that deficiencies that, individually or in the aggregate, would represent material weaknesses are identified. Thus, the audit is not designed to detect deficiencies in internal control over financial reporting that, individually or in the aggregate, are less severe than a material weakness. Because of the potential significance of the information obtained during the audit of the financial statements to the auditor's conclusions about the effectiveness of internal control over financial reporting, the auditor cannot audit internal control over financial reporting without also auditing the financial statements.

Note: However, the auditor may audit the financial statements without also auditing internal control over financial reporting, for example, in the case of certain initial public offerings by a company. See the discussion beginning at paragraph 145 for more information about the importance of auditing both internal control over financial reporting as well as the financial statements when the auditor is engaged to audit internal control over financial reporting.

28. The auditor must adhere to the general standards (See paragraphs 30 through 36) and fieldwork and reporting standards (See paragraph 37) in performing an audit of a company's internal control over financial reporting. This involves the following:

a. Planning the engagement;
b. Evaluating management's assessment process;
c. Obtaining an understanding of internal control over financial reporting;
d. Testing and evaluating design effectiveness of internal control over financial reporting;
e. Testing and evaluating operating effectiveness of internal control over financial reporting; and
f. Forming an opinion on the effectiveness of internal control over financial reporting.

29. Even though some requirements of this standard are set forth in a manner that suggests a sequential process, auditing internal control over financial reporting involves a process of gathering, updating, and analyzing information. Accordingly, the auditor may perform some of the procedures and evaluations described in this section on "Performing an Audit of Internal Control Over Financial Reporting" concurrently.

Applying General, Fieldwork, and Reporting Standards

30. The general standards (See AU sec. 150, Generally Accepted Auditing Standards) are applicable to an audit of internal control over financial reporting. These standards require technical training and proficiency as an auditor, independence in fact and appearance, and the exercise of due professional care, including professional skepticism.

31. Technical Training and Proficiency. To perform an audit of internal control over financial reporting, the auditor should have competence in the subject matter of internal control over financial reporting.

32. Independence. The applicable requirements of independence are largely predicated on four basic principles: (1) an auditor must not act as management or as an employee of the audit client, (2) an auditor must not audit his or her own work, (3) an auditor must not serve in a position of being an advocate for his or her client, and (4) an auditor must not have mutual or conflicting interests with his or her audit client. 7/ If the auditor were to design or implement controls, that situation would place the auditor in a management role and result in the auditor auditing his or her own work. These requirements, however, do not preclude the auditor from making substantive recommendations as to how management may improve the design or operation of the company's internal controls as a by-product of an audit.

33. The auditor must not accept an engagement to provide internal control-related services to an issuer for which the auditor also audits the financial statements unless that engagement has been specifically pre-approved by the audit committee. For any internal control services the auditor provides, management must be actively involved and cannot delegate responsibility for these matters to the auditor. Management's involvement must be substantive and extensive. Management's acceptance of responsibility for documentation and testing performed by the auditor does not by itself satisfy the independence requirements.

34. Maintaining independence, in fact and appearance, requires careful attention, as is the case with all independence issues when work concerning internal control over financial reporting is performed. Unless the auditor and the audit committee are diligent in evaluating the nature and extent of services provided, the services might violate basic principles of independence and cause an impairment of independence in fact or appearance.

7/ See the Preliminary Note of Rule 2-01 of Regulation S-X, 17 C.F.R. 210.2-01.

35. The independent auditor and the audit committee have significant and distinct responsibilities for evaluating whether the auditor's services impair independence in fact or appearance. The test for independence in fact is whether the activities would impede the ability of anyone on the engagement team or in a position to influence the engagement team from exercising objective judgment in the audits of the financial statements or internal control over financial reporting. The test for independence in appearance is whether a reasonable investor, knowing all relevant facts and circumstances, would perceive an auditor as having interests which could jeopardize the exercise of objective and impartial judgments on all issues encompassed within the auditor's engagement.

36. Due Professional Care. The auditor must exercise due professional care in an audit of internal control over financial reporting. One important tenet of due professional care is exercising professional skepticism. In an audit of internal control over financial reporting, exercising professional skepticism involves essentially the same considerations as in an audit of financial statements, that is, it includes a critical assessment of the work that management has performed in evaluating and testing controls.

37. Fieldwork and Reporting Standards. This standard establishes the fieldwork and reporting standards applicable to an audit of internal control over financial reporting.

38. The concept of materiality, as discussed in paragraphs 22 and 23, underlies the application of the general and fieldwork standards.

Planning the Engagement

39. The audit of internal control over financial reporting should be properly planned and assistants, if any, are to be properly supervised. When planning the audit of internal control over financial reporting, the auditor should evaluate how the following matters will affect the auditor's procedures:

- Knowledge of the company's internal control over financial reporting obtained during other engagements.
- Matters affecting the industry in which the company operates, such as financial reporting practices, economic conditions, laws and regulations, and technological changes.
- Matters relating to the company's business, including its organization, operating characteristics, capital structure, and distribution methods.
- The extent of recent changes, if any, in the company, its operations, or its internal control over financial reporting.
- Management's process for assessing the effectiveness of the company's internal control over financial reporting based upon control criteria.
- Preliminary judgments about materiality, risk, and other factors relating to the determination of material weaknesses.
- Control deficiencies previously communicated to the audit committee or management.
- Legal or regulatory matters of which the company is aware.
- The type and extent of available evidence related to the effectiveness of the company's internal control over financial reporting.
- Preliminary judgments about the effectiveness of internal control over financial reporting.
- The number of significant business locations or units, including management's documentation and monitoring of controls over such locations or business units. (Appendix B, paragraphs B1 through B17, discusses factors the auditor should evaluate to determine the locations at which to perform auditing procedures.)

Evaluating Management's Assessment Process

40. The auditor must obtain an understanding of, and evaluate, management's process for assessing the effectiveness of the company's internal control over financial reporting. When obtaining the understanding, the auditor should determine whether management has addressed the following elements:

- Determining which controls should be tested, including controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. Generally, such controls include:
  - Controls over initiating, authorizing, recording, processing, and reporting significant accounts and disclosures and related assertions embodied in the financial statements.
  - Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles.

  - Antifraud programs and controls.
  - Controls, including information technology general controls, on which other controls are dependent.
  - Controls over significant nonroutine and nonsystematic transactions, such as accounts involving judgments and estimates.
  - Company level controls (as described in paragraph 53), including:
    - The control environment and
    - Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; to initiate, authorize, record, and process journal entries in the general ledger; and to record recurring and nonrecurring adjustments to the financial statements (for example, consolidating adjustments, report combinations, and reclassifications).

    Note: References to the period-end financial reporting process in this standard refer to the preparation of both annual and quarterly financial statements.

- Evaluating the likelihood that failure of the control could result in a misstatement, the magnitude of such a misstatement, and the degree to which other controls, if effective, achieve the same control objectives.
- Determining the locations or business units to include in the evaluation for a company with multiple locations or business units (See paragraphs B1 through B17).
- Evaluating the design effectiveness of controls.
- Evaluating the operating effectiveness of controls based on procedures sufficient to assess their operating effectiveness. Examples of such procedures include testing of the controls by internal audit, testing of controls by others under the direction of management, using a service organization's reports (See paragraphs B18 through B29), inspection of evidence of the application of controls, or testing by means of a self-assessment process, some of which might occur as part of management's ongoing monitoring activities. Inquiry alone is not adequate to complete this evaluation. To evaluate the effectiveness of the company's internal control over financial reporting, management must have evaluated controls over all relevant assertions related to all significant accounts and disclosures.
- Determining the deficiencies in internal control over financial reporting that are of such a magnitude and likelihood of occurrence that they constitute significant deficiencies or material weaknesses.
- Communicating findings to the auditor and to others, if applicable.
- Evaluating whether findings are reasonable and support management's assessment.

41. As part of the understanding and evaluation of management's process, the auditor should obtain an understanding of the results of procedures performed by others. Others include internal audit and third parties working under the direction of management, including other auditors and accounting professionals engaged to perform procedures as a basis for management's assessment. Inquiry of management and others is the beginning point for obtaining an understanding of internal control over financial reporting, but inquiry alone is not adequate for reaching a conclusion on any aspect of internal control over financial reporting effectiveness.

Note: Management cannot use the auditor's procedures as part of the basis for its assessment of the effectiveness of internal control over financial reporting.

42. Management's Documentation. When determining whether management's documentation provides reasonable support for its assessment, the auditor should evaluate whether such documentation includes the following:

- The design of controls over all relevant assertions related to all significant accounts and disclosures in the financial statements. The documentation should include the five components of internal control over financial reporting as discussed in paragraph 49, including the control environment and company-level controls as described in paragraph 53;
- Information about how significant transactions are initiated, authorized, recorded, processed and reported;
- Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur;
- Controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties;
- Controls over the period-end financial reporting process;

- Controls over safeguarding of assets (See paragraphs C1 through C6); and
- The results of management's testing and evaluation.

43. Documentation might take many forms, such as paper, electronic files, or other media, and can include a variety of information, including policy manuals, process models, flowcharts, job descriptions, documents, and forms. The form and extent of documentation will vary depending on the size, nature, and complexity of the company.

44. Documentation of the design of controls over relevant assertions related to significant accounts and disclosures is evidence that controls related to management's assessment of the effectiveness of internal control over financial reporting, including changes to those controls, have been identified, are capable of being communicated to those responsible for their performance, and are capable of being monitored by the company. Such documentation also provides the foundation for appropriate communication concerning responsibilities for performing controls and for the company's evaluation of and monitoring of the effective operation of controls.

45. Inadequate documentation of the design of controls over relevant assertions related to significant accounts and disclosures is a deficiency in the company's internal control over financial reporting. As discussed in paragraph 138, the auditor should evaluate this documentation deficiency. The auditor might conclude that the deficiency is only a deficiency, or that the deficiency represents a significant deficiency or a material weakness. In evaluating the deficiency as to its significance, the auditor should determine whether management can demonstrate the monitoring component of internal control over financial reporting.

46. Inadequate documentation also could cause the auditor to conclude that there is a limitation on the scope of the engagement.

Obtaining an Understanding of Internal Control Over Financial Reporting

47. The auditor should obtain an understanding of the design of specific controls by applying procedures that include:

- Making inquiries of appropriate management, supervisory, and staff personnel;
- Inspecting company documents;
- Observing the application of specific controls; and
- Tracing transactions through the information system relevant to financial reporting.

48. The auditor could also apply additional procedures to obtain an understanding of the design of specific controls.

49. The auditor must obtain an understanding of the design of controls related to each component of internal control over financial reporting, as discussed below.

- Control Environment. Because of the pervasive effect of the control environment on the reliability of financial reporting, the auditor's preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary. Weaknesses in the control environment should cause the auditor to alter the nature, timing, or extent of tests of operating effectiveness that otherwise should have been performed in the absence of the weaknesses.
- Risk Assessment. When obtaining an understanding of the company's risk assessment process, the auditor should evaluate whether management has identified the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, the risk assessment process should address how management considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
- Control Activities. The auditor's understanding of control activities relates to the controls that management has implemented to prevent or detect errors or fraud that could result in material misstatement in the accounts and disclosures and related assertions of the financial statements. For the purposes of evaluating the effectiveness of internal control over financial reporting, the auditor's understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained for the financial statement audit.
- Information and Communication. The auditor's understanding of management's information and communication involves understanding the same systems and processes that he or she addresses in an audit of financial statements. In addition, this understanding includes a greater emphasis on comprehending the safeguarding controls and the processes for authorization of transactions and the maintenance of records, as well